Apple hides account info in DRM-free music, too

Just because it lacks DRM doesn't mean you should toss all your iTunes music …

With great power comes great responsibility, and apparently with DRM-free music comes files embedded with identifying information. Such is the situation with Apple's new DRM-free music: songs sold without DRM still have a user's full name and account e-mail embedded in them, which means that dropping that new DRM-free song on your favorite P2P network could come back to bite you.

We started examining the files this morning and noticed our names and e-mail addresses in the files, and we've found corroboration of the find at TUAW, as well. But there's more to the story: Apple embeds your account information in all songs sold on the store, not just DRM-free songs. Previously it wasn't much of a big deal, since no one could imagine users sharing encrypted, DRMed content. But now that DRM-free music from Apple is on the loose, the hidden data is more significant since it could theoretically be used to trace shared tunes back to the original owner. It must also be kept in mind that this kind of information could be spoofed.

Concerned users could convert selections to MP3, but there will be a generational loss in quality resulting from the transcoding. We also have to wonder: who is buying DRM-free music with the plans of slapping it up on a P2P share, anyway? It's not like there aren't dozens of other ways to get access to music without paying for it.
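For readers who want to check what a purchased file carries, here is an added example (not code from the article or from Apple) that walks the boxes of an MP4/M4A file and reports any e-mail-like string together with the box path it sits in. The container list, the treatment of `meta` as a full box, and the sample file with its made-up `xxID` item are assumptions for illustration.

```python
import re
import struct

# Boxes whose payload is a list of child boxes (standard MP4/QuickTime names).
CONTAINERS = {b"moov", b"udta", b"meta", b"ilst", b"trak", b"mdia", b"minf", b"stbl"}
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def walk(buf, start=0, end=None, path="", in_ilst=False):
    """Yield (path, payload) for each leaf box in buf[start:end], skipping audio data."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1 and pos + 16 <= end:   # 64-bit size follows the type field
            size, header = struct.unpack(">Q", buf[pos + 8:pos + 16])[0], 16
        elif size == 0:                     # box extends to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            break                           # truncated or corrupt box: stop this level
        here = f"{path}/{kind.decode('latin-1')}"
        body = pos + header + (4 if kind == b"meta" else 0)  # meta: skip version/flags
        if kind in CONTAINERS or in_ilst:   # children of ilst are containers too
            yield from walk(buf, body, pos + size, here, in_ilst=(kind == b"ilst"))
        elif kind != b"mdat":               # mdat is compressed audio, not metadata
            yield here, buf[body:pos + size]
        pos += size

def find_identifiers(buf):
    """Return sorted (box path, e-mail-like string) pairs found in metadata boxes."""
    hits = {(path, m.group().decode("ascii"))
            for path, payload in walk(buf) for m in EMAIL.finditer(payload)}
    return sorted(hits)

def box(kind, payload):
    """Build one box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def sample_file():
    """Constructed sample; 'xxID' is a made-up item name, not a real iTunes atom."""
    data = box(b"data", struct.pack(">II", 1, 0) + b"jane@example.com")
    meta = box(b"meta", b"\0\0\0\0" + box(b"ilst", box(b"xxID", data)))
    moov = box(b"moov", box(b"udta", meta))
    return box(b"ftyp", b"M4A \0\0\0\0") + moov + box(b"mdat", b"a@b.cc" * 4)

if __name__ == "__main__":
    for hit in find_identifiers(sample_file()):
        print(hit)
```

To inspect a real file, pass its bytes (for example from `open(path, "rb").read()`) to `find_identifiers`; the whole file is held in memory.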

What would Apple do with the info?

The big question, of course, is what might Apple do with this information? Because it can be spoofed, it's not exactly the best way to determine who is sharing music, and in any case, tracing a file back to its buyer this way would leave a copyright holder in a gray area. Embedded data or not, the mere presence of the data in a file found on a share is not an unassailable indicator of copyright infringement.

That said, it would be trivial for iTunes to report back to Apple, indicating that "Joe User" has M4As on this hard drive belonging to "Jane Userette," or even "two other users." This is not to say that Apple is going to get into the copyright enforcement business. What Apple and indeed the record labels want to watch closely is: will one user buy music for his five close friends? The entertainment industry is obsessed with the idea of "casual piracy," or the occasional sharing of content between friends. I wouldn't be surprised if some data was being analyzed in aggregate, although Apple's current privacy policy does not appear to allow for this. As with the dust-up over the mini-store, Apple should clarify what this embedded data is used for.

We've contacted Apple for a response but have not heard back from the company.

Ken Fisher
Ken is the founder & Editor-in-Chief of Ars Technica. A veteran of the IT industry and a scholar of antiquity, Ken studies the emergence of intellectual property regimes and their effects on culture and innovation. Email: ken@arstechnica.com // Twitter: @kenfisher